QUESTION 125
Your network contains an Active Directory domain named contoso.com. You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server named Server1. To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events. You need to configure the query filter for event subscriptions on Server1. How should you configure the query filter? Choose two.

Answer: CH
Explanation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757.
These can either be read automatically by the ATA Lightweight Gateway or, in case the ATA Lightweight Gateway is not deployed, it can be forwarded to the ATA Gateway in one of two ways, by configuring the ATA Gateway to listen for SIEM events or by configuring Windows Event Forwarding.
Event ID: 4776 NTLM authentication is being used against domain controller
Event ID: 4732 A User is Added to Security-Enabled DOMAIN LOCAL Group
Event ID: 4733 A User is removed from Security-Enabled DOMAIN LOCAL Group
Event ID: 4728 A User is Added or Removed from Security-Enabled Global Group
Event ID: 4729 A User is Removed from Security-Enabled GLOBAL Group
Event ID: 4756 A User is Added or Removed From Security-Enabled Universal Group
Event ID: 4757 A User is Removed From Security-Enabled Universal Group

QUESTION 126
Your network contains an Active Directory domain named contoso.com. The domain contains 10 computers that are in an organizational unit (OU) named OU1. You deploy the Local Administrator Password Solution (LAPS) client to the computers. You link a Group Policy object (GPO) named GPO1 to OU1, and you configure the LAPS password policy settings in GPO1. You need to ensure that the administrator passwords on the computers in OU1 are managed by using LAPS. Which two actions should you perform? Each correct answer presents part of the solution.

QUESTION 127
Your network contains an Active Directory domain named contoso.com. You plan to deploy an application named App1.exe. You need to verify whether Control Flow Guard is enabled for App1.exe. Which command should you run?

Answer: B
Explanation:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
To verify if Control Flow Guard is enabled for a certain application executable:
- Run the dumpbin.exe tool (included in the Visual Studio 2015 installation) from the Visual Studio command prompt with the /headers and /loadconfig options: dumpbin.exe /headers /loadconfig test.exe.
The output for a binary under CFG should show that the header values include “Guard”, and that the load config values include “CF Instrumented” and “FID table present”.

QUESTION 128
Your network contains an Active Directory domain named contoso.com. The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run Windows 10. You need to configure the domain to meet the following requirements:
– Users must be locked out from their computer if they enter an incorrect password twice.
– Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016. Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct answer presents part of the solution.

A. From a Group Policy object (GPO), configure Public Key Policies.
B. Deploy a Multi-Factor Authentication provider and copy the required certificates to the MIM server.
C. From the MIM Portal, configure the Password Reset AuthN Workflow.
D. Deploy a Multi-Factor Authentication provider and copy the required certificates to the client computers.
E. From a Group Policy object (GPO), configure Security Settings.

QUESTION 129
The network contains an Active Directory domain named contoso.com. The domain contains the servers configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members. All laptops are protected by using BitLocker Drive Encryption (BitLocker). You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers. An OU named OU2 contains the computer accounts of the computers in the marketing department. A Group Policy object (GPO) named GP1 is linked to OU1. A GPO named GP2 is linked to OU2. All computers receive updates from Server1. You create an update rule named Update1. You need to ensure that you can encrypt the operating system drive of VM1 by using BitLocker. Which Group Policy should you configure?

Answer: C
Explanation:
As there is not a choice “Enabling Virtual TPM for the virtual machine VM1”, then we have to use a fall-back method for enabling BitLocker in VM1.
https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

QUESTION 130
The Job Title attribute for a domain user named User1 has a value of Sales Manager. User1 runs whoami /claims and receives the following output:

Kerberos support for Dynamic Access Control on this device has been disabled.

You need to ensure that the security token of User1 has a claim for Job Title. What should you do?

A. From Windows PowerShell, run the New-ADClaimTransformPolicy cmdlet and specify the -Name parameter.
B. From Active Directory Users and Computers, modify the properties of the User1 account.
C. From Active Directory Administrative Center, add a claim type.
D. From a Group Policy object (GPO), configure KDC support for claims, compound authentication, and Kerberos armoring.

Answer: C
Explanation:
From the output, obviously, a claim type is missing (or disabled) so that the domain controller is not issuing tickets with the “Job Title” claim type.

QUESTION 131
Your network contains an Active Directory domain named contoso.com. You deploy a server named Server1 that runs Windows Server 2016. Server1 is in a workgroup. You need to collect the logs from Server1 by using Log Analytics in Microsoft Operations Management Suite (OMS). What should you do first?

QUESTION 132
Your network contains an Active Directory domain named contoso.com. The domain contains two DNS servers that run Windows Server 2016. The servers host two zones named contoso.com and admin.contoso.com. You sign both zones. You need to ensure that all client computers in the domain validate the zone records when they query the zone. What should you deploy?

Answer: C
Explanation:
You should use Group Policy NRPT for a DNS client to perform DNSSEC validation of DNS zone records.

QUESTION 133
Your network contains an Active Directory domain named contoso.com. The domain contains two global groups named Group1 and Group2. A user named User1 is a member of Group1. You have an organizational unit (OU) named OU1 that contains the computer accounts of computers that contain sensitive data. A Group Policy object (GPO) named GPO1 is linked to OU1. OU1 contains a computer account named Computer1. GPO1 has the User Rights Assignment configured as shown in the following table.

You need to prevent User1 from signing in to Computer1. What should you do?

Answer: D
Explanation:
https://technet.microsoft.com/en-us/library/cc957048.aspx
“Deny log on locally”
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
Therefore, adding User1 to Group2 will let User1 inherit both policies, which then prevents User1 from signing in to Computer1.

QUESTION 134
You are creating a Nano Server image for the deployment of 10 servers. You need to configure the servers as guarded hosts that use Trusted Platform Module (TPM) attestation. Which three packages should you include in the Nano Server image? Each correct answer presents part of the solution.

Answer: ABF
Explanation:
https://docs.microsoft.com/en-us/system-center/vmm/guarded-deploy-host?toc=/windows-server/virtualization/toc.json
For an SCVMM Managed Nano Server Hyper-V case: If your host is running Nano Server Hyper-V host, it should have the Compute, SCVMM-Package, SCVMM-Compute, SecureStartup, and ShieldedVM packages installed.
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
For a standalone Nano Server Hyper-V host, no SCVMM related packages are required, only Compute, SecureStartup, and ShieldedVM packages are required.
This table shows the roles and features that are available in this release of Nano Server, along with the Windows PowerShell options that will install the packages for them.
Some packages are installed directly with their own Windows PowerShell switches (such as -Compute); others you install by passing package names to the -Package parameter, which you can combine in a comma-separated list. You can dynamically list available packages using the Get-NanoServerPackage cmdlet.

QUESTION 135
You plan to enable Credential Guard on four servers. Credential Guard secrets will be bound to the TPM. The servers run Windows Server 2016 and are configured as shown in the following table.